For organizations of any size, making sense of the constantly evolving cyber risk landscape can seem daunting. With new threats materializing on a constant basis, it can be difficult for organizations to efficiently allocate resources and respond to security incidents.

In BakerHostetler's newly-released 2018 Data Security Incident Response Report, we use our experience from more than 560 security incidents to offer some suggestions on how to minimize your cyber risk footprint, including reduced liability following a security breach, lower costs investigating incidents, and a reduced likelihood for lawsuits and regulatory actions in the aftermath. While new threats to systems and data continue to emerge, the means to secure these critical assets and minimize the risk to your organization often comes down to basic hygiene practices that many organizations fail to utilize.

In 2018, the leading cause of security incidents continues to be employee negligence. By implementing a comprehensive security awareness and training program, organizations can reduce the frequency and severity of security incidents. In particular, organizations should emphasize the dangers of phishing emails and provide practical information to employees on how to recognize and report phishing emails. However, because people are fallible, training will not always be enough and some technical safeguards should be in place, including:

  • Encryption solutions to secure data both at rest and in transit;
  • Strong multi-factor authentication controls and updated employee password guidance;
  • Patch management procedures to ensure critical vulnerability patches are installed promptly;
  • Endpoint monitoring and intrusion detection and prevention systems; and
  • Hardened remote desktop access rights on any Internet-facing systems.

While the above solutions are not foolproof, they can at least make your organization a more hardened target. Further, even if you cannot prevent unauthorized access, you can limit the potential exposure of data if an intruder breaks through your perimeter defenses.

Ensure that your organization has established retention policies to delete or purge sensitive information that your organization no longer needs. By removing outdated and unnecessary data, you can eliminate a potential target of intrusion and free up network bandwidth and computer processing power to improve your security posture elsewhere in your organization. Identify your organization's most sensitive or valuable data and segregate that data into a separate subnetwork(s) and harden the defenses so that if an attacker does access your company's network environment, you limit their ability to view or acquire sensitive data. Ensure that these subnetworks are only accessible to those in your organization with a legitimate need to access them. In fact, limit all systems and information access by your organization's employees to a need-to-know basis. Remove any administrative user rights from regular employees and restrict the number of privileged accounts to limit the potential damage an intruder can do in your environment if they successfully exploit a user account.

Once you have hardened your external defenses and limited your exposure surface, train your organization to detect and respond to incidents faster and more efficiently. From 2016 to 2017, we saw that the average time from occurrence of an incident to discovery increased from 61 days to 66 days. While organizations are becoming better at detecting security incidents internally, delays in detecting and responding to security incidents can often complicate forensic investigations, as standard logging retention policies usually mean that less evidence is available on the initial intrusion. Endpoint monitoring and properly configured SIEM tools can help provide real-time alerts of unauthorized access and improved visibility into systems. When combined with a robust enterprise incident response plan (IRP), these tools can enable organizations to more quickly identify potential network intrusions and implement containment measures to eliminate the intruder's unauthorized access to sensitive data and critical systems.

Further, organizations need to ensure that they are continually improving upon their response capabilities by training employees, at least annually, on how to effectively utilize the IRP through mock tabletop exercises that simulate real-world security incidents. Through these training exercises, the incident response team can learn to make better decisions and communicate more effectively when responding to security incidents, while the organization can better calibrate security metrics to establish realistic goals.

To account for those risks that cannot be mitigated or controlled through the measures described above, organizations should consider purchasing cyber insurance coverage to cover potential costs from security incidents and losses from business disruption. These policies will often provide organizations with access to additional risk management resources and guidance on how to prevent and respond to security incidents. In choosing the right policy, organizations should also consider the appropriate coverage limits and the claims experience of the insurer. To determine the proper policy coverage for your organization, consult your most recent risk assessment to identify the threats most likely to affect your organization and identify the most critical gaps in your security architecture and response capabilities, particularly those relating to vendors and other third-party service providers.

Cyber risk management and mitigation require an enterprise-wide investment starting from the top; however, too often this critical competency is siloed into IT functions without the appropriate executive oversight. Organizations are left scrambling to respond in the aftermath of a security incident, which can increase costs and disrupt operations. With a better understanding of the risks and how to appropriately respond, organizations can help avoid security incidents and reduce the costs of responding. Start by thinking about how you can increase awareness within your organization so as not to be caught off guard should you find yourself the target of a cyberattack.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.